Security News @infosec.pub MyNameIsFred @beehaw.org

Thoughts on scheduled password changes (don’t call them rotations!)

nakedsecurity.sophos.com

Does swapping your password regularly make it a better password?


9 comments
  • I think it depends on the account. Forcing the typical unprivileged user to change their password frequently ends up creating bad passwords; MFA them instead. But for admin and highly privileged accounts that cannot, for whatever reason, be protected by MFA or need MFA+password, I think rotating them with some frequency helps security. One of the MOs of many advanced attackers is to grab the passwords for later access, or they brute force to get those passwords. Changing will reduce the risk of stolen passwords being used on admin accounts. Obvs this is an org's own risk decision based on their data.